Azure Blob Storage Encryption with X509Certificate2 certificate

    Question

  • Hi,

    I am trying Azure blob client side encryption.

    I have following code -

    public async Task<CloudBlockBlob> Upload(HttpPostedFileBase file)
    {
        string blobName = "xxx";
        // GET a blob reference.
        CloudBlockBlob blob = container.GetBlockBlobReference(blobName);

        using (var fs = file.InputStream)
        {
            X509Certificate2 certificate = new X509Certificate2("xxx.pfx",
                "password", X509KeyStorageFlags.MachineKeySet);
            var provider = new AsymmetricBlobCryptoProvider(certificate);
            Stream encryptedStream = provider.EncryptedStream(fs);
            // This is the line that fails with 'stream does not support reading'
            await blob.UploadFromStreamEncryptedAsync(provider, encryptedStream);
        }

        blob.Properties.ContentType = file.ContentType;
        blob.SetProperties();

        return blob;
    }
    I get error at await blob.UploadFromStreamEncryptedAsync(provider, encryptedStream);

    The error is 'stream does not support reading'.

    Please suggest.

    My keys are not stored on Azure Key Vault. I am using my own X509Certificate2 certificate for encryption.

    Please suggest how to upload encrypted file using your own X509Certificate2 certificate?
    Monday, May 30, 2016 12:25 PM

All replies

  • Hi,

    I am trying Azure blob client side encryption.

    I have following code -

    public async Task<CloudBlockBlob> Upload(HttpPostedFileBase file)
    {
        string blobName = "xxx";
        // GET a blob reference.
        CloudBlockBlob blob = container.GetBlockBlobReference(blobName);

        using (var fs = file.InputStream)
        {
            X509Certificate2 certificate = Security.GetCertificateFromFile();
            var provider = new AsymmetricBlobCryptoProvider(certificate);
            Stream encryptedStream = provider.EncryptedStream(fs);
            // This is the line that fails with 'stream does not support reading'
            await blob.UploadFromStreamEncryptedAsync(provider, encryptedStream);
        }

        blob.Properties.ContentType = file.ContentType;
        blob.SetProperties();

        return blob;
    }

    I get error at await blob.UploadFromStreamEncryptedAsync(provider, encryptedStream);

    The error is 'stream does not support reading'.

    Please suggest.

    Wednesday, May 18, 2016 9:31 AM
  • Hi,

    Thank you for posting here,

    Are you following this document for Azure blob client-side encryption?

    Be aware of these important points when using client-side encryption:

    • When reading from or writing to an encrypted blob, use whole blob upload commands and range/whole blob download commands. Avoid writing to an encrypted blob using protocol operations such as Put Block, Put Block List, Write Pages, Clear Pages, or Append Block; otherwise you may corrupt the encrypted blob and make it unreadable.

    • If you set metadata on the encrypted blob, you may overwrite the encryption-related metadata required for decryption, since setting metadata is not additive. This is also true for snapshots; avoid specifying metadata while creating a snapshot of an encrypted blob. If metadata must be set, be sure to call the FetchAttributes method first to get the current encryption metadata, and avoid concurrent writes while metadata is being set.

    • Enable the RequireEncryption property in the default request options for users that should work only with encrypted data. See below for more info.

    Regards,

    Vikranth S.


    Thursday, May 19, 2016 8:54 AM
    Moderator
  • I am not following that document. My keys are not stored on Azure Key Vault. I am using my own X509Certificate2 certificate for encryption.

    Could you please suggest how to upload encrypted file using your own X509Certificate2 certificate?


    Thursday, May 19, 2016 3:23 PM
  • As per my understanding you're using the Azure Encryption Extensions project. The method UploadFromStreamEncrypted takes an unencrypted stream. If you remove the line

    Stream encryptedStream = provider.EncryptedStream(fs);

    and pass in the file.InputStream in the UploadFromStreamEncrypted you should be good to go. 

    You can see the functional test here https://github.com/stefangordon/azure-encryption-extensions/blob/master/AzureEncryptionExtensionsTests/FunctionalTests.cs

    Monday, May 30, 2016 2:10 PM
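    The correction described in the reply above, written out as an added example (this is not code from the thread or from the azure-encryption-extensions project). It assumes the extensions package is referenced, that it exposes AsymmetricBlobCryptoProvider plus the UploadFromStreamEncryptedAsync and DownloadToStreamEncryptedAsync extension methods on CloudBlockBlob, and that the namespaces below are the package's; the container, blob name and certificate are supplied by the caller rather than hard-coded with a PFX password as in the question.

```csharp
// Added example: corrected upload plus a matching decrypting download.
// Assumed namespaces of the extensions package (not confirmed by the thread).
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using AzureEncryptionExtensions;
using AzureEncryptionExtensions.Providers;
using Microsoft.WindowsAzure.Storage.Blob;

public static class EncryptedBlobStore
{
    // Hand the library the PLAINTEXT stream. UploadFromStreamEncryptedAsync wraps it in
    // its own encrypting reader; pre-encrypting with provider.EncryptedStream() yields a
    // stream the library cannot read, which is the "stream does not support reading" error.
    public static async Task<CloudBlockBlob> UploadAsync(
        CloudBlobContainer container, string blobName, Stream plaintext,
        string contentType, X509Certificate2 certificate)
    {
        CloudBlockBlob blob = container.GetBlockBlobReference(blobName);
        var provider = new AsymmetricBlobCryptoProvider(certificate);

        // Request streams (e.g. HttpPostedFileBase.InputStream) are not always at offset 0.
        if (plaintext.CanSeek) plaintext.Position = 0;

        await blob.UploadFromStreamEncryptedAsync(provider, plaintext);

        // SetProperties only changes HTTP properties such as Content-Type; it does not
        // replace blob metadata, so the provider's encryption metadata is left intact.
        blob.Properties.ContentType = contentType;
        await blob.SetPropertiesAsync();
        return blob;
    }

    // Decrypting download. The asymmetric provider needs the certificate's private key
    // here; a public-key-only certificate is enough for upload but not for download.
    public static async Task<byte[]> DownloadAsync(CloudBlockBlob blob, X509Certificate2 certificate)
    {
        if (!certificate.HasPrivateKey)
            throw new InvalidOperationException("Decryption requires the certificate's private key.");

        var provider = new AsymmetricBlobCryptoProvider(certificate);
        using (var plain = new MemoryStream())
        {
            await blob.DownloadToStreamEncryptedAsync(provider, plain);
            return plain.ToArray();
        }
    }
}
```

    Load the certificate once from a store or a protected configuration source rather than constructing it from a PFX path and a literal password inside the upload method; the provider only needs the X509Certificate2 object, so the key material never has to appear in the request-handling code.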